
A suspected China‑aligned espionage group tracked as UNK_MassTraction has been exploiting two critical vulnerabilities in Roundcube webmail to compromise physics and engineering departments at a handful of US and Canadian universities.
The activity, first seen in early May 2026, begins with a spear‑phishing mail that triggers the flaws to drop malicious JavaScript and establish a foothold inside the targeted networks.
The attackers leverage CVE‑2024-42009, rated CVSS 9.3, which permits stored cross‑site scripting that executes arbitrary JavaScript in the victim’s browser, and CVE‑2025-49113, scored CVSS 9.9, a server‑side flaw that can lead to remote code execution on the mail server.
Both flaws are listed in the US CERT Known Exploited Vulnerabilities catalogue and patches are available from the Roundcube project.
Initial infection drops a JavaScript payload named IceCube that harvests login credentials from the webmail interface, after which a webshell dubbed SquareShell is written to the server to facilitate further commands.
To maintain long‑term access the attackers install the VShell backdoor, allowing them to pivot laterally and exfiltrate research data from the compromised departments.
According to the Proofpoint analysis, fewer than ten universities have been confirmed as victims, with the focus on physics and engineering labs that often handle research tied to national security programmes.
While the group attempts to obscure its origins, the tactics, techniques and procedures bear resemblance to previously observed Chinese cyber‑espionage activity.
Organisations running Roundcube should immediately apply the latest security updates that address CVE‑2024-42009 and CVE‑2025-49113, and disable any unnecessary JavaScript execution within the webmail interface.
Security teams must monitor webmail logs for unexpected POST requests, look for unfamiliar files in the web root (such as SquareShell or VShell) and enforce multi‑factor authentication on all mail accounts.
Conducting regular phishing awareness training and restricting external connections from the mail server to only trusted IP ranges can reduce the chance of successful initial compromise.
Finally, maintaining an up‑to‑date asset inventory and conducting periodic compromise assessments will help detect any lingering webshells before they are used for data theft.